Bookseller Intercepted Email
jconley writes "In this somewhat scary story, an online rare book dealer, Alibris, intercepted e-mail between its clients and Amazon.com. It amounts to online wiretapping." Read the story at CNET.
Alibris pled guilty but says (basically) it was a misunderstanding.
The penalty: a quarter-million dollar fine - are other corporations paying attention?
According to chief executive Martin Manley, the company broke the law when it tried to rectify complaints from some clients who said they weren't receiving email messages from Amazon. In tracking such messages to determine the problem, the company unlawfully captured the messages, although Manley said it did not read them.
Okay, let's first set the ground rules here...
According to their web site, Alibris is not wholly a bookstore.
Alibris uses the Internet to enable hundreds of independent booksellers around the world to sell treasured books to consumers, libraries, wholesalers, and retail stores.
My guess is that the predecessor of Alibris mostly specialized in a book-finding service. Anyone have any information on that?
Anyway, looks like the e-mail system they had allowed users to get an email with them to try to find old and rare books and so forth. Sounds kinda cool actually.
Probably they had some mail problems with Amazon, and set the thing to intercept messages to see what was wrong.
I'd give them the benefit of the doubt. An e-mail provider must be able to look at messages to resolve problems in routing or what have you. Perhaps not actual message content, but that's hard to distinguish, since the info they need and the info that should be private are not wholly separated.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
The government cares about such invasions of privacy on the part of individuals and corporations because, quite frankly, it encroaches upon the prerogative of the state. Just as the state is to have a monopoly on violence in society, so does the state wish to have a monopoly on the invasion of privacy: Echelon, et al. Just as common murder challenges the king's authority as the only legitimate source of death within his realm, so does common wiretapping do as much in this matter.
Hopefully, we can concentrate all of these atrocities within the state and then geld the state with constitutional amendments, as we have in the US concerning torture and the constitutional prohibition against cruel and unusual punishments. Alas, my cynicism would counsel otherwise.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Sounds like a waste of everyone's time.
My concern with this is that plaintext e-mail isn't the same as post office e-mails. Those are sealed. I would argue that plaintext e-mail is akin to a postcard, anyone on the network CAN read it. In fact, the ISP HAD to intercept the e-mail electronically (their machines had to see a copy of it), so it's just a question of them logging it. If they log all the bits coming across their network, is that also a wire tap? It is THEIR network, how is it illegally wire tapping for them to monitor stuff on their network?
On the other hand, this makes the case for a need to replace plaintext e-mail. Plaintext e-mail may serve a purpose (you're out of town and go to a Cybercafe and fire off a quick, all is good, we arrived safely, take care, message), but real e-mail should be encrypted (placed in a sealed envelope) and signed.
Alex
I don't understand why control of the actual mailbox is so important when you can't possibly control all of the intermediate sites which relay your mail from one place to another... Okay, your ISP doesn't have direct access to the mail you've already received, but they could easily have records of everything coming and going one level up...
The only real solution is encryption. Any number of people can read your email as it goes through their servers - unless they need a key to do so. Until the use of strong encryption is widespread we'll all be sending our mail on postcards.
/* The beatings will continue until morale improves. */
You're absolutely right, everyone needs to start using encrypted email. A PKI (Public Key Infrastructure) will also be necessary - however, PGP doesn't provide one.
PKIs are designed to solve the problem of key exchange - we all trust a central authority to sign my key and verify that it actually belongs to me. PGP doesn't solve this problem. It relies on the user to establish his own unspoofable channel (e.g. face-to-face exchange) for verification of keys.
If you plan to use someone's PGP public key you MUST verify the signature with that person in an unspoofable way or the whole system falls apart. Thus PGP can't work for widespread communications security (Don't get me wrong - I use it and love it). Instead we need a real, traditional PKI. Which introduces many more problems (Who gets to sign certificates and who doesn't? If I notify them that my key has been compromised, how do they notify everyone who has that key? And so on.)
There's a whole industry built around this (and I work in it). There's no simple solution.
/* The beatings will continue until morale improves. */